Solana-based decentralized exchange Raydium suffered an exploit on June 10, 2026, resulting in the unauthorized withdrawal of approximately $1.3 million in cryptocurrency from five inactive liquidity pools. The protocol immediately pledged to fully reimburse all affected users from its treasury, emphasizing that current pools and active traders were never at risk.
On-chain investigator Specter and blockchain security firm PeckShield traced the attack to retired automated market maker (AMM) V3 code that was phased out in 2021. The attacker used a fake mint address to bypass validation checks within these legacy contracts, draining roughly 150,177 RAY tokens, 5,603 SOL, and 893,700 USDC. The affected pools included RAY-SOL, USDC-RAY, and SRM-RAY pairs, all part of the deprecated program.
PeckShield reported that the attacker initially received funds from KuCoin, then bridged the stolen assets from Solana to Ethereum. A portion—approximately 810 ETH—was routed through the sanctioned mixer Tornado Cash, while another 7 ETH went to FixedFloat, complicating fund recovery efforts. Raydium confirmed that no active mainnet programs were compromised and that the legacy pools had been inaccessible through the official user interface since 2021.
The exchange’s swift reimbursement plan mirrors its response to a larger admin key compromise in December 2022, when it also used treasury assets to make liquidity providers whole. Market reaction remained subdued: RAY traded near $0.57, down less than 1%, and SOL slipped roughly 2% to $63.88. The incident underscores a persistent DeFi challenge—inactive smart contracts left on-chain can still harbor vulnerabilities long after protocols abandon them, requiring proactive governance to fully retire or drain legacy pools.
